Very High
CVE-2023-21716
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2023-21716
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Microsoft Word Remote Code Execution Vulnerability
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
A vulnerability in Microsoft’s Word wwlib allows attackers to get LCE with the privileges of the victim opens a malicious
RTF document. An attacker would be able to deliver this payload in several ways including as an attachment in spear-phishing attacks.
Affected Versions
This vulnerability affects at least the following versions of Microsoft Office:
- Microsoft Office 365 (Insider Preview – 2211 Build 15831.20122 CTR)
- Microsoft Office 2016 (Including Insider Slow – 1704 Build 8067.2032 CTR)
- Microsoft Office 2013
- Microsoft Office 2010
- Microsoft Office 2007
Acknowledgement
This issue was discovered, analyzed, and reported by Joshua J. Drake (@jduck).
PoC code from @jduck:
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- microsoft
Products
- office 2019,
- office long term servicing channel 2021,
- office online server 2016,
- office web apps 2013,
- sharepoint enterprise server 2013,
- sharepoint enterprise server 2016,
- sharepoint foundation 2013,
- sharepoint server -,
- sharepoint server 2019,
- word 2013
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
There’s user interaction required here, right?
Yes, in case the exploit code is hidden as an attachment, the user should open that attachment.
arevulnerable too
Note that, even if user interaction is required, it can be minimal. According to Microsoft, the Preview Pane is also an attack vector, which means the user doesn’t need to open the file. Loading the RTF document in the Preview Pane should also trigger the vulnerability.